web application security lab

Fierce Domain Scan Released

I’m really sorry I haven’t posted in the last few days. Believe it or not, it’s for a good cause. I’ve been very busy writing a new domain scanner called Fierce. I was performing an audit a few weeks ago and I realized that it was taking me a long time to uncover hosts that I needed to perform audits on. I was using all sorts of tactics but it was still taking a long time (almost a day just to find 4 hosts that could have been interesting, and only one of them turned out to be). The hosts were nowhere near each other physically or in terms of IP space, rendering tools like nmap and unicornscan nearly useless. That frustrating experience in web application security auditing forced me to write a Perl scanner named Fierce.

Some of you will remember that I wrote a tool to uncover “internal.company.name” and “intranet.company.name” servers in the Alexa top 100. Well, that was interesting, but it was only a precursor to Fierce. Fierce takes that same idea and magnifies it to over 300 requests. Further, when it finds something on an IP it attempts to traverse up and down that IP range (within the same class C) looking for other hosts that match your domain of interest using reverse DNS (or a supplemental pattern match that I added on top of it).

As a result, in just a few minutes of scanning you can uncover hundreds of hosts that are normally either not publicly known or not even routable, for that matter, and that may be on completely separate networks. It’s very fast for a scanner, because it doesn’t actually try to connect to any of the machines in question; it only queries your DNS server and the DNS server of the target.
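The two-stage approach described above (brute-force a wordlist of names, then walk the surrounding class C with reverse DNS and keep the names that match the domain or a supplemental pattern), as an added example that is not Fierce’s own code: the `discover`, `traverse_class_c` and `wildcard_ip` functions and the `example.com` zone data are all constructed here, and the resolver callbacks are injected so the logic runs offline. It also skips hits that resolve to the zone’s wildcard address, the failure mode raised in the comments below.

```python
import ipaddress, random, re, string
from typing import Callable, Dict, List, Optional

# Resolver callbacks are injected so the logic runs offline against a constructed
# zone; a live run would wrap socket.gethostbyname / socket.gethostbyaddr instead.
Forward = Callable[[str], Optional[str]]  # hostname -> IPv4 string, or None
Reverse = Callable[[str], Optional[str]]  # IPv4 string -> PTR name, or None

def wildcard_ip(domain: str, forward: Forward) -> Optional[str]:
    """If a random label resolves, the zone has a wildcard; return its IP."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return forward(f"{label}.{domain}")

def traverse_class_c(ip: str, domain: str, reverse: Reverse, radius: int = 5,
                     pattern: Optional[str] = None) -> Dict[str, str]:
    """Walk +/- radius around ip inside its /24; keep PTR names under domain or matching pattern."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    base = int(ipaddress.ip_address(ip))
    found: Dict[str, str] = {}
    for offset in range(-radius, radius + 1):
        cand = ipaddress.ip_address(base + offset)
        if cand not in net:
            continue  # never step outside the class C
        name = reverse(str(cand))
        if name and (name.lower().endswith("." + domain.lower())
                     or (pattern and re.search(pattern, name, re.I))):
            found[name] = str(cand)
    return found

def discover(domain: str, wordlist: List[str], forward: Forward, reverse: Reverse,
             radius: int = 5, pattern: Optional[str] = None) -> Dict[str, str]:
    """Brute-force word.domain for each word, then traverse the /24 around each hit."""
    wc = wildcard_ip(domain, forward)
    hosts: Dict[str, str] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = forward(name)
        if ip is None or ip == wc:  # a wildcard answer carries no information
            continue
        hosts[name] = ip
        hosts.update(traverse_class_c(ip, domain, reverse, radius, pattern))
    return hosts

# Constructed sample zone for the offline demo; none of these are real hosts.
_ZONE = {"www.example.com": "192.0.2.10", "mail.example.com": "198.51.100.5"}
_PTR = {"192.0.2.8": "vpn.example.com", "192.0.2.10": "www.example.com", "198.51.100.5":
        "mail.example.com", "192.0.2.12": "dhcp-nat-05.corp.example.com", "192.0.2.14": "cdn.other.net"}

def run_demo() -> Dict[str, str]:
    return discover("example.com", ["www", "mail", "intranet"], _ZONE.get, _PTR.get)
```

Run against your own zone, the output is the list of hosts that DNS alone already reveals, which is the inventory a defender wants to compare against what is meant to be exposed.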

Click here to find out more about Fierce. There are a few other tools out there that attempt to do some things like this, but I wrote this because I found it to be far more effective at initial discovery (this is sort of a modern-day version of host -l for those of you who were around in the early days when no one understood security). This is obviously a beta and will miss stuff given how it works, but I plan on making it a lot more robust and on adding a few more tests that I think will yield a lot more interesting results in the future. Questions and comments are welcome.

Happy New Year, everyone!

7 Responses to “Fierce Domain Scan Released”

  1. kuza55 Says:

    I just had a quick look at how you retrieve headers, and I was wondering if it wouldn’t be better to just send a HEAD request instead of a GET request? It would seem to me that you wouldn’t generate as much traffic (sure you’d still generate a lot, but not quite so much), and would get results faster.

    But other than that, good job! I’ve always (well, for a long time anyway) wondered why there were no tools like this.

  2. kuza55 Says:

    Ugh, I forgot to mention this in my other comment, but if you’re using GET requests anyway you might as well use the rest of the response to see if sending the different hostnames to the wildcard DNS entry provides different pages, and report on that data to the user.

    A more probabilistic approach is possible with HEAD requests though. If you make a request to the wildcard IP address using no hostname, and then if an Etag header is available, use that to check whether they are the same, or if an Etag header is not provided, then loop through all the static-looking resources referenced on the first page looking for an Etag header, and then send HEAD requests for that resource on all the servers instead of the root / resource. I think this would also require you to move to a HTTP/1.1 request instead of a HTTP/1.0 request...

    Just some ideas though, feel free to shoot them down. :)

  3. cheng Says:

    Happy new year!!
    Wish everyone an exciting year.

  4. Jungsonn Says:

    That doggy looks pretty fierce to me ;)

  5. RSnake Says:

    Kuza55, that’s not a bad idea, but really I don’t really want to impede the user’s intentions. I’ll probably just add a function to allow the user to input any syntax they want, which will aid in lots of different types of testing. Definitely on the list for future versions.

    Jungsonn, he’s a mean puppy. Watch your ankles. ;)

  6. Jungsonn Says:

    :)

    I’m going to take it for a spin today. I’ve looked in the source and it looks very nice. One thing though: the brute-force scan; is it not better to make a function to scan all possible subdomains? Because I’ve seen many other sub variations not listed?

  7. RSnake Says:

    I knew that would be the most contentious part of the program, but thus far it hasn’t made much difference how good that list is. It only needs to find a small handful and then by using traversal it ends up finding the rest on the subnets. But I’ll probably add a function later to allow for a wordlist. Then you can create your own library and it will suck it up and use that. It would be deathly slow since most of the words used are not dictionary words or even words at all, they are things like dhcp-nat-05-chicago-west-bldg3.corp.whatever.com